Great points Christian, thanks. -Barry
> On Mar 30, 2021, at 10:59, Christian Heimes <christ...@python.org> wrote:
>
> On 30/03/2021 19.01, Barry Warsaw wrote:
>> Hello Mario,
>>
>> Thank you for your submission of PEP 648 (Extensible customizations of the
>> interpreter at startup). The Python Steering Council has reviewed the PEP
>> and before we can pronounce on it, we have some additional questions and
>> comments we’d like you to address. Once these questions are settled, we are
>> requesting that you post the PEP to python-dev for another round of comments.
>
> Hi Mario,
>
> could you please include a security analysis of the feature, too? I
> would like to avoid new ways to exploit Python.
>
> In particular I don't think that -S (no site module) is the right way to
> disable __sitecustomize__. It disables too many useful features. It
> might be a good idea to disable __sitecustomize__ with -I (isolated mode).
>
> There should be a new audit event, too.
>
> Christian
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/Q7G26FI7TX42RDJH7BVKBQEOLHMZNTU4/
Code of Conduct: http://python.org/psf/codeofconduct/